Recently my site got hit by one of those automated scripts that plants spam in the comments section of news stories. Not a huge problem, I installed a random graphical code mod to the comments section and that seems to have resolved the issue. I'm mostly posting this out of curiosity hoping someone might be able to point me to a resource to better understand what exactly is being run against my site.

I run a dedicated RHE 3 / Apache 1.3 server with PHP-Nuke 7.6 Chatserv patches, Sentinel and the Protector system.

Essentially the way this went down is that someone registered on the site and then later unleashed this bot that was making the posts to the comments of news articles under that user ID. Where things start to look weird is when going to the locate panel in the Protector system: there were zero hits when you search by user ID, but when you search by IP address it shows the user as being anonymous. I don't allow anonymous posts to the comments section. Additionally it appears this script uses 6 different IP addresses that it cycles through, which tells me that somehow they are spoofing both the IP and the user ID. Each one of the posts had a random quote at the end.

When I put in the graphical code mod I also changed the password on the account in question but that didn't seem to make a difference. Every day I see the user id in the who's online block and now it almost seems stuck on the site for hours. Could they be doing something with cookies or session id's to get past the login?

When viewing the raw access logs it reveals a whole lot of nothing, except the HTTP protocol is different on some of the entries. Distributed? More spoofing? I don't know.

As I said, the graphical code pretty much resolved the issue and I will probably blow away the user account. I'm just curious if this is some well-known exploit and I missed installing a patch somewhere along the line.

I have the same issue on my site, banned all the proxies (it seems to run on proxies) and deleted the "user". It/he/she had to sign up first to get through. So I hope it'll be fixed now. Also put the hackattempt script on my site.
It only spams in the comments so far. Mainly pretty annoying. The thing signed up under the nick "ivorybruno".

The more drastic thing I could do is of course totally lock down the site and let signups go through admin ... this wouldn't be my choice to run a site. I prefer nice and easy over keys, lockdowns, approvals and other security crap. Just looking at this spam idiot leaves me no choice.

I checked that first IP, and they've been on my site 47 times, trying to crack my ODP module!

So, I suppose the prudent action would be to ban all those IPs...


Since it had to sign up to spam my article comments I could watch it for a day or two. It's not totally overloading the site with crap. It spams 2 or 3 comments under a different IP every time. Makes me wonder ... is he doing all that manually all day long? Dang, what a crap job that would be.

I checked sentinel and the tracked IP's and it only gives 1 to 3 hits per IP. Seems a bit sneaky ... I mean if you see 2000 hits of an IP you'll check it out right away.

For me it's quite easy to watch it since my site is in Dutch and IPs from other countries than NL or BE drag my attention immediately.

Well that's an easy question lol. It signed up to comment on articles. This is the crap it spams (note: I replaced the spamwords with "stuff") and as you can see it always ends with some quote a random quote.

This is from my database since I backed that one up and check to see if it did more than just that. The rest I already deleted of course!

And this is from sentinel tracking:

Code:

http://www.xiffa.nl/modules.php?username=sayContent-Type: multipart/alternative; boundary=0fbf4ac113d1614acd60ccdf672f4438MIME-Version: 1.0Subject: become a manufactory the brokenbcc: Only registered users can see links on this board! Get registered or login! is a multi-part message in MIME format.--0fbf4ac113d1614acd60ccdf672f4438Content-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitcould not comprehend myself thought it must be my imagination. became quite fainthearted, denied my own hearing, and said, o, have only dreamed and commenced reckoning and counting to employ my mind but that did no good, and it nearly--0fbf4ac113d1614acd60ccdf672f4438--.
http://www.xiffa.nl/modules.php?username=chosen2122@xiffa.nl&redirect=canContent-Type: multipart/alternative; boundary=f302ebd8d13e486f759929b6a5c06d1dMIME-Version: 1.0Subject: his neck, sprang forward and ran barking after thebcc: Only registered users can see links on this board! Get registered or login! is a multi-part message in MIME format.--f302ebd8d13e486f759929b6a5c06d1dContent-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitfor all that, and ended with a quotation from ean aul. alf an hour afterward she slept and dreamed her round white arm lay--f302ebd8d13e486f759929b6a5c06d1d--.&f=chosen2122@xiffa.nl&user_password=chosen2122@xiffa.nl&t=chosen2122@xiffa.nl&op=chosen2122@xiffa.nl&mode=chosen2122@xiffa.nl
http://www.xiffa.nl/modules.php?username=not4687@xiffa.nl&redirect=not4687@xiffa.nl&f=not4687@xiffa.nl&user_password=arcadesContent-Type: multipart/alternative; boundary=10ff90b4bbe4440456a49216cf1a6176MIME-Version: 1.0Subject: me churchesbcc: Only registered users can see links on this board! Get registered or login! is a multi-part message in MIME format.--10ff90b4bbe4440456a49216cf1a6176Content-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitmake necessary preparations, the improbabilities of accomodation for so large a party not being taken into account of her adyship s calculations. he steepness and impracticability of the roads already began to undermine her--10ff90b4bbe4440456a49216cf1a6176--.&mode=not4687@xiffa.nl&t=not4687@xiffa.nl&op=not4687@xiffa.nl
http://www.xiffa.nl/modules.php?username=sail4070@xiffa.nl&redirect=sail4070@xiffa.nl&f=watchContent-Type: multipart/alternative; boundary=f40aed27e89ffaeefe1da3dd9c61df9cMIME-Version: 1.0Subject: bull in the other. o, ir, you donbcc: Only registered users can see links on this board! Get registered or login! is a multi-part message in MIME format.--f40aed27e89ffaeefe1da3dd9c61df9cContent-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitbe precipt an example to be quick on me feet. n these days whin a man--f40aed27e89ffaeefe1da3dd9c61df9c--.&user_password=sail4070@xiffa.nl&t=sail4070@xiffa.nl&mode=sail4070@xiffa.nl&op=sail4070@xiffa.nl
http://www.xiffa.nl/modules.php?redirect=ith6472@xiffa.nl&username=asContent-Type: multipart/alternative; boundary=b86f060bb619dc0d38f2c26bc2e7f97fMIME-Version: 1.0Subject: grave can see where thebcc: Only registered users can see links on this board! Get registered or login! is a multi-part message in MIME format.--b86f060bb619dc0d38f2c26bc2e7f97fContent-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitand plants fresh islands presented themselves for centuries did a more powerful development and improvement show themselves, until the perfection was attained which we now perceive ut the ible does not--b86f060bb619dc0d38f2c26bc2e7f97f--.&f=ith6472@xiffa.nl&user_password=ith6472@xiffa.nl&t=ith6472@xiffa.nl&op=ith6472@xiffa.nl&mode=ith6472@xiffa.nl
http://www.xiffa.nl/modules.php?username=a3494@xiffa.nl&redirect=a3494@xiffa.nl&f=a3494@xiffa.nl&user_password=a3494@xiffa.nl&mode=yeContent-Type: multipart/alternative; boundary=da54fd6adad78a88e57686b9ae29affaMIME-Version: 1.0Subject: aris. oor, though wellborn, her object was tobcc: Only registered users can see links on this board! Get registered or login! is a multi-part message in MIME format.--da54fd6adad78a88e57686b9ae29affaContent-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitthey must indeed get into the throng. s in the iddle ges the various professions had their distinct streets and quarters, so had they also here. he street which led to the--da54fd6adad78a88e57686b9ae29affa--.&t=a3494@xiffa.nl&op=a3494@xiffa.nl

It pretends to be using email addresses with my domain grrrrrrr ... don't ask me how or why or what it's exactly doing.

Yes, a little addition to all this: I'm running my site on a nice webhosting service so I can't see what it's doing beyond the site, so to say.

The only recurring thing I see is that it seems to bcc (blind copy mail?) to aol mail accounts with all comments. I can't tell if it's a string or anything.

Code:

bcc: Only registered users can see links on this board! Get registered or login!
bcc: Only registered users can see links on this board! Get registered or login!
bcc: Only registered users can see links on this board! Get registered or login!

Is there any consistent string, user agent, anything that we might be able to auto ban these guys with NS' string blocker?

No, there doesn't seem to be anything consistent. What FiLiUsEvAe posted appears to be the identical thing that hit my site. I also noticed the same pattern in that it will post a limited number of comments under different IPs and then come back in the next day or so and do it again. It's just enough to fly under the radar until one day you notice you are flooded with spam posts. I don't think someone is manually doing it either, because once I put the graphical code in on comments it kept blindly making posts.

The thing that I find most curious is what the heck they are doing with the login?
It's strange because the posts list a valid user ID but the user ID shows no hits on the site. When you check the IP of the posts they show as an anonymous user? And then to show as online after I changed the password is really odd.

Could they somehow be forging cookies or something like that?

I'm not exactly a huge fan of those graphical confirmation codes but it does seem like the only pro-active way to deal with it.

Again it "visited" my site. This time he wasn't signed up anymore, I banned its nick and whatever was possible to ban of it. Because of that it wasn't able to post anything anywhere although it did try. Note that my site is in Dutch and I don't have many members. The members I do have I value very much. So for me it is quite easy to follow this spamthing. I can imagine the spamdamage this thing could create on a multilingual site with a lot of members.

Here is what it tried today and again it bcc-ed to some aol mail account. This is a list of IP addresses and which places it went by at what times (sorry, those times are GMT+1). Note that since he isn't a "member" anymore I can't track him by nickname and not all IP addresses have to be "his". The only IP I'm sure of is 218.53.83.141, so don't blindly ban all IPs. They're basically from countries you wouldn't expect on a Dutch site. So yes, I banned them all.

(2 hits) 218.53.83.141 /modules.php?username=and8276@xiffa.nl&redirect=osalieContent-Type: multipart/alternative; boundary=bdc716ca27369039a7f0d82be8922324MIME-Version: 1.0Subject: wails iv th wounded tax payers. t twelve fifteenbcc: Only registered users can see links on this board! Get registered or login! is a multi-part message in MIME format.--bdc716ca27369039a7f0d82be8922324Content-Type: text/plain; charset=\"us-ascii\"MIME-Version: 1.0Content-Transfer-Encoding: 7bitmoney, said r. ennessy. ell, sir, said r. ooley here s a judge on th binch says twinty five dollars is as much as a man needs to enther th--bdc716ca27369039a7f0d82be8922324--.&f=and8276@xiffa.nl&user_password=and8276@xiffa.nl&gfx_check=and8276@xiffa.nl&random_num=and8276@xiffa.nl&mode=and8276@xiffa.nl&op=and8276@xiffa.nl&t=and8276@xiffa.nl

/modules.php?name=Stories_Archive 06:42:25

(1 hit) 202.146.67.238 /modules.php?name=Reviews 06:42.47

I don't think it's an exploit. I think it's just taking advantage of the easy way to spam, and that would be signing up and using a quickspam toy like an autoform fill-out thingy or so. It's not hacking or cracking anything, nothing totally aggressive so far anyway.

I just did a google search with one of the email accounts it uses for bcc ... [link hidden by the board] and it comes up with quite some results of sites it has been spamming.

This site seems to have a detailed idea of what's going on: [link hidden by the board]
It's absolutely worth reading.

Once a vulnerable script is found, the BCC line is filled with 25 or 30 addresses to spam. If the form doesn't set reply-to before the exploited field or the reply-to is a bad address or nobody pays attention to logs, the site owner may never know his site is compromised and enslaved as a spam bot.

How vulnerable is the ravendistro to this? I mean the comments, reviews, feedback and other forms in nuke ... are they vulnerable to "exploits" like this?

I know it has to sign up to show visible spam on my site ... if I ban the "user" it still spams but it's going nowhere on my site, I just see it "trying" in sentinel tracking ... I don't know if it's still doing anything behind the screens.

This stuff is far beyond my PHP skills.

I don't know if you're busy with this thing or anything ... if so I'll just wait. For now I have all modules set for members only. Still I'd prefer to have a lot of things read only to all. But well .... I have to protect my members as much as I can.
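The quoted explanation above describes the bot appending raw MIME headers (Content-Type, MIME-Version, Subject, bcc:) to a form field so that a script which copies the field unescaped into mail() relays the bcc: recipients. The following is an added example, not code from this thread or from PHP-Nuke: a form-time check that rejects such values, and a scanner for logged request URLs like the Sentinel entries quoted above that pulls out the bcc: targets (the one constant string the thread was looking for). The sample URLs are constructed after the thread's pattern with placeholder addresses.

```python
"""Spot e-mail header injection in form input and in logged request URLs.

Added example, not from the thread or PHP-Nuke. The bot appends raw MIME
headers to a form field; a script that copies that field unescaped into
mail() relays the bcc: recipients. Sample URLs are constructed after the
thread's pattern, with placeholder addresses.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Mail header tokens that never belong in a one-line field. No line anchors:
# the quoted logs have the CR/LFs stripped, so the headers run together.
MAIL_HEADER_RE = re.compile(
    r"content-type\s*:\s*multipart/|mime-version\s*:|"
    r"content-transfer-encoding\s*:|bcc\s*:|boundary=", re.IGNORECASE)
BCC_RE = re.compile(r"bcc\s*:(.*?)(?:[\r\n]|is a multi-part|content-type|$)",
                    re.IGNORECASE | re.DOTALL)
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_header_injection(value: str) -> bool:
    """Form-time check: reject any line break or mail header in a field."""
    return "\r" in value or "\n" in value or bool(MAIL_HEADER_RE.search(value))


def scan_request(url: str) -> dict:
    """Map each injected parameter name to the bcc: addresses it carries."""
    findings = {}
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            if is_header_injection(value):
                match = BCC_RE.search(value)
                addrs = ADDR_RE.findall(match.group(1)) if match else []
                findings.setdefault(name, []).extend(addrs)
    return findings


def bcc_targets(log_lines) -> Counter:
    """Count bcc: recipients across a log: the stable string to alert on."""
    totals = Counter()
    for line in log_lines:
        for addrs in scan_request(line).values():
            totals.update(addrs)
    return totals


# Constructed sample shaped like the Sentinel entries quoted in the thread.
SAMPLE_LOG = [
    "http://example.invalid/modules.php?username=say%0D%0AContent-Type:%20"
    "multipart/alternative%3B%20boundary=0fbf4ac1%0D%0AMIME-Version:%201.0"
    "%0D%0ASubject:%20become%20a%20manufactory%0D%0Abcc:%20"
    "drop1@example.invalid,%20drop2@example.invalid%0D%0A%0D%0AThis%20is"
    "%20a%20multi-part%20message.&user_password=say",
    "http://example.invalid/modules.php?name=Stories_Archive",
    # CR/LFs collapsed, as in the quoted logs: headers run straight together
    "http://example.invalid/modules.php?username=not4687&redirect=watch"
    "Content-Type:%20multipart/alternative%3B%20boundary=10ff90b4bcc:%20"
    "drop1@example.invalid%20is%20a%20multi-part%20message",
]
```

Running `scan_request` over each sample line flags the `username` and `redirect` parameters and leaves the plain Stories_Archive hit alone; `bcc_targets(SAMPLE_LOG)` then shows drop1@example.invalid recurring across otherwise unrelated IPs and parameter names.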

I haven't had the bcc entries like you have, but I came across a little more information that might offer some clues. Yesterday I deleted the spammer account and have since then noticed it as being logged in at least 4 times, which is sort of spooky. I also enabled the Sentinel page tracker and concentrated on anonymous users with just a few hits. To my surprise I found about 30+ different IPs in the last 24 hours running a similar exploit.

Some were the original scam we were discussing but I also found a second one thatís also doing some really weird things and this one appears to be putting random email addresses in the string.

I also did a google search on src21 which was part of the url of most of the links in the spam postings and found page after page of Nuke sites with the same comment spam so obviously these guys get around. The interesting thing is that every one of those sites does not use the graphical code for logins.

I have no evidence that these attacks are successful anymore because I am not getting any more comment spam since I put in the graphical code mod, and the mail queue seems to be clean. What I am bothered about is the login strings. I don't fully understand how to interpret them so it's hard to determine if this is an actual threat to the site or not. I am also hoping someone with greater knowledge about this will chime in.

The first snippet is the original scam and the next 2 are the new one I found this morning; both seem to be doing about the same thing with the login. What's odd about the first snippet is that the account is deleted yet it just sails right through the login and starts trying to post again.

Since I locked down the comments and reviews and all that stuff, put in the gfx code for users as well instead of just admin, deleted its user ID and banned the IPs it has been using on my site .... I finally seem to have a little bit of peace.

It is still there though and I'm watching it closely ... it seems (from reading and such I did) that IF it is successful on a spambreach it'll use your mailserver or whatever for spam.

Yours does look a bit different dkrager still it spams the same crap and uses the same random end quote.

Those login trials I see in your codeblock .... it doesn't seem to use your own domain ... on my site it used my own domain at the end and random numbers and nicks before the @. And of course it used a BCC in the string

Creepy crap .....

Do you have your own mailserver? Did you check the logs? That's what one should do according to the stuff I read so far . In those logs you should see some weird stuff IF it is doing something nasty.

src21.com seems to be compromised - there are tools and utilities on their site that can assist with cross site scripting attacks like the ones you are experiencing.

Make sure you add those domain names to your referer blocker (and that your referer blocker is active) as that will certainly help.

I get about 20 or 30 attacks every day on my code-authors.com website, mostly to modules that are not even installed. I'll be updating my SpamList blocker module on Monday with a number of compromised and spamming domains.

*Tip of the Day*
When you download a backup of your site, always run a file compare against your previous backup. Even if you check your logs religiously, this will quickly help you identify any files which may have been uploaded through an exploit to your webspace which you might not have otherwise found.
Remember, incorrectly set up servers/ old server software versions can be compromised regardless of what you may have in your webspace.

See the post above.
The Code-authors.com Spamlist blocker may not stop comment spamming; what it does is block the referer. So, for example, if the comments are inserted via a tool loaded on another site or a bot and we know the referer, we can block the referer from the site and this renders that particular bot or tool useless. Because by default the referer is redirected, it also saves precious bandwidth and helps preserve your page rank by helping to prevent non-relevant back links / text links.

As with any tool of this type, it is only as good as the referer list and thus relies on user feedback to request additional referers to be blocked.
